When vulnerability disclosure goes sour: New GitHub repo details legal threats and risks faced by ethical hackers

A new GitHub repository has been created to document and track the times when vulnerability disclosure has gone sour.

The Research Threats project details historical legal battles between researchers and the target organizations whose software was found to have security flaws.

It was built on top of data collected in an already-established list by security researcher and “vulnerability historian” Jericho, whose records date back to 2006.

Speaking to The Daily Swig, researcher Sick Codes, who alongside Jericho and Casey John Ellis maintains the repo, said the move to GitHub was made to give both researchers and organizations the opportunity to both upload and change information, something that “wouldn’t have happened” on the original website.

Research Threats is a ‘collection of over-reactions, demands, and cease and desist letters’

Judge or jury?

Research Threats offers a timeline of notable vulnerability disclosure incidents from 2006 up to the present day, including descriptions of the legal threat and how it was resolved, if at all.

It also has a ‘goodies’ folder, in which researchers can upload copies of correspondence they have received from companies or lawyers acting on their behalf.

Anyone can make pull requests to change the information in this growing database, creating a level playing field for all parties involved.

Making the timeline open source also improves its accuracy, reducing the risk of misreporting cases, according to Sick Codes.

The security researcher told The Daily Swig: “I’m not the judge and jury on any of these situations because, you know, people could lie and say they got a letter, but they were actually doing something bad… and that’s one of the issues we considered when we were thinking about like, should we put a time limit [on how long information can be changed] of like a month or something?

“And then we were like, that’s not really appropriate either because things could happen fast or slow.

“That’s why I put it up on GitHub so that people can actually project or review it [to] say well, besides this is not right, this is true… Anyway, it’s an experiment.”

Changing attitudes

Research Threats contains guidance for both researchers and organizations on how to work together in a “perfect” coordinated disclosure.

Regarding the timeline, Sick Codes said that having the information displayed in such a way shows the historical changes of certain companies attitudes towards ethical hacking.

Notable incidents in the list include two entries in 2008 when Apple was accused of cancelling talks at Black Hat, one due to a non-disclosure agreement, and another apparently due to the apprehension from the company’s marketing team.

Sick Codes told The Daily Swig many companies won’t appear twice: “Once they fix up the policy and get everything sorted out, especially getting a proper vulnerability disclosure policy with safe harbor and that sort of stuff involved, where it strictly says, like Apple’s one [policy] which says, ‘this supersedes every other violation as long as you report it to Apple’.”

Recent cases

While the project may demonstrate changing attitudes from companies such as Apple and Google, the repo may also serve as a reality check for organizations who are thinking of taking legal action following the private disclosure of vulnerabilities.

The most recent entry relates to an incident previously reported by The Daily Swig, during which security researcher Rob Dyke said he was served with a legal notice after a vulnerability disclosure went sour.

This incident has still not been resolved, as Dyke detailed in a blog post, leading the security researcher to pre-emptively crowdsource his potential legal fees.

Source: https://portswigger.net/daily-swig/when-vulnerability-disclosure-goes-sour-github-repo-details-legal-threats-and-risks-faced-by-ethical-hackers